f300dd2ebccab58de976d51cd8705ee7e11408378166fb4acb7156951d47e2f2

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8871e4f53594292e29559ad58e817c0_NEIKI.exe
Size

244KB
MD5

c8871e4f53594292e29559ad58e817c0
SHA1

0b52fce6a0ca683d57bcf04cc893a93ac763144b
SHA256

f300dd2ebccab58de976d51cd8705ee7e11408378166fb4acb7156951d47e2f2
SHA512

235577bfc78f6029fe55aea00b0d0c0d4d3af58d0bd5c53dd36dc982438b87156620cd8a5baeac763c752f7dcd784ceb5ba6df41ae537406a91b9a4238e0aa6a
SSDEEP

6144:X42FMaP+6+tT/JBnjBE3XwfSZ4sXRzQI6F:IKbGlJBjBEnwuEI6

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2372	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
2772	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
2600	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
2240	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
2832	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
2444	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
2952	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
2176	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
952	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
1208	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
2764	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
1556	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
2964	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
1104	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
268	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
1048	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
908	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
828	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
2064	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
980	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
1832	c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
960	c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
2152	c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
1072	c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
1016	c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
3044	c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2364	c8871e4f53594292e29559ad58e817c0_NEIKI.exe
2364	c8871e4f53594292e29559ad58e817c0_NEIKI.exe
2372	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
2372	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
2772	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
2772	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
2600	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
2600	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
2240	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
2240	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
2832	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
2832	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
2444	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
2444	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
2952	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
2952	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
2176	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
2176	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
952	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
952	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
1208	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
1208	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
2764	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
2764	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
1556	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
1556	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
2964	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
2964	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
1104	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
1104	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
268	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
268	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
1048	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
1048	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
908	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
908	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
828	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
828	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
2064	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
2064	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
980	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
980	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
1832	c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
1832	c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
960	c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
960	c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
2152	c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
2152	c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
1072	c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
1072	c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
1016	c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
1016	c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x000c0000000141c0-5.dat	upx
behavioral1/memory/2364-13-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2372-14-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2372-27-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2772-42-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2600-43-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2600-57-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2240-58-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2240-72-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2832-73-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2832-86-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2444-101-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2952-110-0x0000000000300000-0x000000000033C000-memory.dmp	upx
behavioral1/memory/2952-115-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2176-130-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/952-131-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x0007000000014abe-138.dat	upx
behavioral1/memory/952-144-0x0000000000270000-0x00000000002AC000-memory.dmp	upx
behavioral1/memory/952-146-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1208-147-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1208-162-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2764-163-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2764-176-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1556-191-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2964-198-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2964-206-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1104-221-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/268-222-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/268-236-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1048-247-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/908-257-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/828-258-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/828-270-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2064-280-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/980-290-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1832-296-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1832-301-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/960-311-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2152-321-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1072-331-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1016-337-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1016-342-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/3044-343-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 376643897b386bb7	c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2372	2364	c8871e4f53594292e29559ad58e817c0_NEIKI.exe	28
PID 2364 wrote to memory of 2372	2364	c8871e4f53594292e29559ad58e817c0_NEIKI.exe	28
PID 2364 wrote to memory of 2372	2364	c8871e4f53594292e29559ad58e817c0_NEIKI.exe	28
PID 2364 wrote to memory of 2372	2364	c8871e4f53594292e29559ad58e817c0_NEIKI.exe	28
PID 2372 wrote to memory of 2772	2372	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe	29
PID 2372 wrote to memory of 2772	2372	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe	29
PID 2372 wrote to memory of 2772	2372	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe	29
PID 2372 wrote to memory of 2772	2372	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe	29
PID 2772 wrote to memory of 2600	2772	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe	30
PID 2772 wrote to memory of 2600	2772	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe	30
PID 2772 wrote to memory of 2600	2772	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe	30
PID 2772 wrote to memory of 2600	2772	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe	30
PID 2600 wrote to memory of 2240	2600	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe	31
PID 2600 wrote to memory of 2240	2600	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe	31
PID 2600 wrote to memory of 2240	2600	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe	31
PID 2600 wrote to memory of 2240	2600	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe	31
PID 2240 wrote to memory of 2832	2240	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe	32
PID 2240 wrote to memory of 2832	2240	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe	32
PID 2240 wrote to memory of 2832	2240	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe	32
PID 2240 wrote to memory of 2832	2240	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe	32
PID 2832 wrote to memory of 2444	2832	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe	33
PID 2832 wrote to memory of 2444	2832	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe	33
PID 2832 wrote to memory of 2444	2832	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe	33
PID 2832 wrote to memory of 2444	2832	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe	33
PID 2444 wrote to memory of 2952	2444	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe	34
PID 2444 wrote to memory of 2952	2444	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe	34
PID 2444 wrote to memory of 2952	2444	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe	34
PID 2444 wrote to memory of 2952	2444	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe	34
PID 2952 wrote to memory of 2176	2952	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe	35
PID 2952 wrote to memory of 2176	2952	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe	35
PID 2952 wrote to memory of 2176	2952	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe	35
PID 2952 wrote to memory of 2176	2952	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe	35
PID 2176 wrote to memory of 952	2176	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe	36
PID 2176 wrote to memory of 952	2176	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe	36
PID 2176 wrote to memory of 952	2176	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe	36
PID 2176 wrote to memory of 952	2176	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe	36
PID 952 wrote to memory of 1208	952	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe	37
PID 952 wrote to memory of 1208	952	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe	37
PID 952 wrote to memory of 1208	952	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe	37
PID 952 wrote to memory of 1208	952	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe	37
PID 1208 wrote to memory of 2764	1208	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe	38
PID 1208 wrote to memory of 2764	1208	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe	38
PID 1208 wrote to memory of 2764	1208	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe	38
PID 1208 wrote to memory of 2764	1208	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe	38
PID 2764 wrote to memory of 1556	2764	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe	39
PID 2764 wrote to memory of 1556	2764	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe	39
PID 2764 wrote to memory of 1556	2764	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe	39
PID 2764 wrote to memory of 1556	2764	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe	39
PID 1556 wrote to memory of 2964	1556	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe	40
PID 1556 wrote to memory of 2964	1556	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe	40
PID 1556 wrote to memory of 2964	1556	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe	40
PID 1556 wrote to memory of 2964	1556	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe	40
PID 2964 wrote to memory of 1104	2964	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe	41
PID 2964 wrote to memory of 1104	2964	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe	41
PID 2964 wrote to memory of 1104	2964	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe	41
PID 2964 wrote to memory of 1104	2964	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe	41
PID 1104 wrote to memory of 268	1104	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe	42
PID 1104 wrote to memory of 268	1104	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe	42
PID 1104 wrote to memory of 268	1104	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe	42
PID 1104 wrote to memory of 268	1104	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe	42
PID 268 wrote to memory of 1048	268	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe	43
PID 268 wrote to memory of 1048	268	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe	43
PID 268 wrote to memory of 1048	268	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe	43
PID 268 wrote to memory of 1048	268	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\c8871e4f53594292e29559ad58e817c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c8871e4f53594292e29559ad58e817c0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364
- \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
  c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2372
- - \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
    c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
      c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2600
    - - \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1048
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:908
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:828
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2064
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:980
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1832
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:960
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2152
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1072
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1016
        
        \??\c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe
        
        c:\users\admin\appdata\local\temp\c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c8871e4f53594292e29559ad58e817c0_neiki_3202.exe

Filesize
244KB

MD5
fe808b8bdc564c7c34ce727db991c6ee

SHA1
8af078f6a5f1afca67cadd18e1db8e96e32c779f

SHA256
5a3168d4a21ab7075de9751bbe8fe1024d27631a7605799b964c9525d68bdbc9

SHA512
7f17b7b75a40c9c198db4800c1737affc21e99f5df67abaf4bb9e9825d3939ac6bec6fa69167c0270389197093d3a85d90865cd93b2c60db3981bdd4176efe1a

Download Submit
\Users\Admin\AppData\Local\Temp\c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe

Filesize
244KB

MD5
b77f8eeeb57fafff4ea3eed34ed53d2f

SHA1
a3223bbed3ec3d9c362c3e4a420db1a0ef4977e8

SHA256
dcd8aa644a3a1d344618750f2caf0a0d97740c526b645aa78afcc1ffd47810c1

SHA512
1d572316d5c3f4393b71837529028a5fe602c880e28e675cccc62e03714a1dc006341bfd339c9d459eb00f63ad18d56d0795c6181977fd3745f60d305bbe0ea2

Download Submit
memory/268-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/268-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/828-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/828-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/828-268-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/828-269-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/908-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/952-144-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/952-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/952-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/960-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/980-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1016-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1016-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1048-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1072-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1104-221-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1208-156-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/1208-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1208-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1832-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1832-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2064-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2152-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2176-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2240-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2240-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-101-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2600-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2600-43-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2772-42-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2832-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2832-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2952-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2952-110-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/2964-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-201-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/3044-343-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202y.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202l.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202p.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202d.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202x.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202j.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202n.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202c.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202.exe\""	c8871e4f53594292e29559ad58e817c0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202g.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202i.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202t.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\c8871e4f53594292e29559ad58e817c0_neiki_3202w.exe\""	c8871e4f53594292e29559ad58e817c0_neiki_3202v.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads